test: add baseline validation unit tests

brianfunk · brianfunk · commit 0679f12331fd · 2026-02-11T08:19:37.000-05:00
diff --git a/docs/plan/M08-quality-ci-cd-and-observability.md b/docs/plan/M08-quality-ci-cd-and-observability.md
@@ -17,7 +17,7 @@ Restore engineering quality gates and add operational observability.
 
 - [x] Fix ESLint runtime failure.
 - [x] Reduce/resolve blocking TypeScript errors.
-- [ ] Add initial unit/integration tests.
+- [x] Add initial unit/integration tests.
 - [x] Add CI pipeline for lint, typecheck, build, tests.
 - [ ] Add basic app and job observability docs.
 
@@ -41,3 +41,4 @@ Restore engineering quality gates and add operational observability.
 - 2026-02-11: Resolved remaining TypeScript blockers in `AgencySettings`, `DocketList`, `AgencyDashboard`, and `public/CommentWizard`; `npm run typecheck` now passes.
 - 2026-02-11: Added CI workflow `.github/workflows/ci.yml` with required `lint`, `typecheck`, `test:ci`, and `build` jobs on pull requests and pushes to `main`.
 - 2026-02-11: Added `package.json` scripts `typecheck` and `test:ci` to standardize local and CI quality commands.
+- 2026-02-11: Added first unit tests in `src/lib/validation.test.ts` and confirmed `npm run test:ci` executes real tests (6 passing).
diff --git a/src/lib/validation.test.ts b/src/lib/validation.test.ts
@@ -0,0 +1,45 @@
+import { describe, expect, it } from 'vitest'
+import { sanitizeInput, validateEmail, validatePassword } from './validation'
+
+describe('sanitizeInput', () => {
+  it('removes angle brackets and javascript protocol patterns', () => {
+    const scriptProtocol = `java${'script:'}`
+    const dirty = ` <script>alert(1)</script> ${scriptProtocol}evil() `
+    const sanitized = sanitizeInput(dirty)
+
+    expect(sanitized).not.toContain('<')
+    expect(sanitized).not.toContain('>')
+    expect(sanitized.toLowerCase()).not.toContain(scriptProtocol)
+  })
+
+  it('returns an empty string for non-string values', () => {
+    expect(sanitizeInput(123 as unknown as string)).toBe('')
+  })
+})
+
+describe('validateEmail', () => {
+  it('accepts valid emails', () => {
+    expect(validateEmail('user@example.gov')).toBe(true)
+  })
+
+  it('rejects malformed emails', () => {
+    expect(validateEmail('invalid-email')).toBe(false)
+    expect(validateEmail('missing-domain@')).toBe(false)
+  })
+})
+
+describe('validatePassword', () => {
+  it('marks a weak password as invalid', () => {
+    const result = validatePassword('weak')
+    expect(result.isValid).toBe(false)
+    expect(result.strength).toBe('weak')
+    expect(result.errors.length).toBeGreaterThan(0)
+  })
+
+  it('marks a strong password as valid', () => {
+    const result = validatePassword('StrongPass123!')
+    expect(result.isValid).toBe(true)
+    expect(result.strength).toBe('strong')
+    expect(result.errors).toEqual([])
+  })
+})
